Restructure
The restructure method is depicted in Figure 5.
In step one in the figure, we get new servers and create a pristine
Windows 2003 domain structure, including domains, OUs, Group Policies,
security structure, and so on. Then, in step two, obtain a migration
tool such as the Active Directory Migration Tool (ADMT) that Microsoft
provides on the Windows 2003 Server CD, or one from a third-party
company, and use it in step three to migrate the users and groups from
the old domain structure (Windows NT or 2000) to the new. Step four
shows migration of users and groups from resource domains to Windows
2003 OUs. This was not possible in the In-Place Upgrade method (that is,
you had to migrate users and groups from the resource domains to
Windows 2000 child domains and then migrate them to OUs in a single
domain). Unlike the in-place upgrade, this method allows you to use the
migration tools to stage the migration of users, groups, and computer
accounts; select the destination as a particular domain or OU; migrate
or change the users' passwords; and even test it to get a report of any
errors encountered.
The advantages of this method include
- Flexibility allows the collapse of many Windows NT domains into a single domain/OU structure or to any other domain structure you want to use in a single step.
- For large organizations, this method allows you to stage the migration of users over time to reduce the impact on users and calls to the help desk.
- For companies that have acquired or merged with one or more companies that also have Windows NT or Windows 2000 domain structures (or both), this is the way to merge them into a single structure.
- Very sophisticated tools exist to allow you to design the project stages, test the stages, and fix the errors before the actual migration, reducing the risk of migration considerably.
- For small organizations of 10,000 users or fewer or with only a few different sites, ADMT v2.0 is available on the Windows Server 2003 CD in the \i386\ADMT directory and as a free download from Microsoft's download Web site. ADMT is also a handy tool for moving users, groups, and computer accounts to new domains or OUs when reorganization is required later on.
- No Pile On issues to worry about.
- No need to run ADPrep for a Windows 2000 domain structure.
- Less risk in that the original domain structure and all the users, groups, and computer accounts are left intact. The back-out plan is to simply re-enable the accounts in the old domain and force the clients to authenticate back to the old domain.
The disadvantages to the restructure method include
- Higher cost than the in-place upgrade due to the investment in additional hardware and a migration tool. However, if you are upgrading from Windows NT, you likely want to get new hardware to meet the Windows Server 2003 specifications anyway, and you might be able to use the free ADMT from Microsoft.
- Takes a longer time as opposed to the in-place upgrade, where users are migrated as the upgrade runs on the server.
- Must re-establish services, re-install applications, re-establish trusts, and so on.
- Unnecessary if upgrading from Windows 2000 to Windows Server 2003. An in-place upgrade is likely all that is required.
- Multiple environments have to be maintained and supported during the coexistence phase.
The process of restructure is pretty straightforward:
1. Install new hardware and create the new AD infrastructure.
2. Obtain a migration tool.
3. Create trusts between the old domains and the new Windows Server 2003 domains.
4. Re-establish services, service accounts, trusts, applications, and so on.
5. Plan and migrate the users, computers, and groups.
As you can see from the
list of advantages and disadvantages, restructure is more appropriate
when migrating from Windows NT to Windows Server 2003 than from Windows
2000 unless a restructure of the namespace is required in a case such as
a merger or acquisition.
ProLiant Post-Upgrade Tasks
There are several points to consider in regard to the ProLiant server when upgrading to Windows Server 2003:
- Make sure you enable SNMP. SNMP is disabled in Windows Server 2003 by default and is required by the ProLiant management agents.
- Re-team any NICs that were dissolved before the upgrade.
- After the teamed NICs are re-enabled, install the latest version of the ProLiant Support Pack (PSP).
- If Multipath Software was installed, install HP Smart Array Multipath Software v2.0.
Some of the current known issues encountered during the upgrade on ProLiant servers include
- A Windows 2000 manual upgrade to Windows Server 2003 prompts a message, reporting the need for CPQTEAM.DLL. Select Cancel to continue the upgrade and install PSP after the upgrade completes.
- HP Smart Array Multipath Software v1.0 is not compatible with Windows Server 2003. Upgrade to v2.0.
- Software fault-tolerant volumes (dynamic disks) fail during driver upgrade or rollback. Restore from backup.
- Upgrading miniport driver for secondary device requires reboot.
- Startup and recovery server options revert back to default settings after an upgrade. Change back to the desired setting.
- ProLiant Advanced System Management Controller Driver for Microsoft Windows Server 2003 (CPQASM.SYS) will not load on the ProLiant 3000, 5500, or 6500. Use cp003476.exe.
Intra- and Inter-Forest Migrations
In addition to changing the structure of the entire domain from Windows NT
or Windows 2000 to Windows Server 2003, there is usually an ongoing need
to change the structure of OUs, or the location of users, groups, and
computers within a forest or between domains in a forest. In the case of
a merger or acquisition, you might need to perform a migration between
Windows 2003 forests or from a Windows 2000 forest to a Windows Server
2003 forest. Tools for these tasks include
MoveTree:
Command-line utility that permits a move operation of objects between domains in a forest.
Ldifde:
Command-line utility that provides bulk migration of AD objects such as
users, groups, computer accounts, and even OUs between domains in a
forest and from forest to forest. Ldifde permits exporting AD objects
from the AD to a flat text file, as well as importing them into the AD.
Because the intermediary is a text file, you can export the objects,
make modifications to them such as adding additional attribute values,
and import them back into the same AD or into another. You can use
filters to export or import only desired classes of objects (such as
only users whose surnames begin with the letters P through Z) or only
certain attributes (such as changing the address of users at an office
that moved to a new location). Ldifde does not preserve the security
context or password.
CSVDE:
Much the same capabilities as Ldifde, but the intermediary file is a CSV file.
Dsadd:
Adds objects to the AD such as users, groups, computer accounts, and OUs.
Dsmove:
Moves a single object, or multiple objects, within a domain. Can also rename them without a move.
Dsrm:
Command-line utility to remove objects from AD.
Dsmod:
Command-line utility to modify attributes of a user, group, computer, contact, OU, DC, quota, or partition.
Dsquery:
Queries the AD to find objects, including computer, contact, group, OU,
site, server, user, quota, or partition. It also allows the use of a
wild card (*). For instance, you could get a list of all objects (group,
OU, user, and so on) in a domain.
Dsget:
Command-line tool that displays properties of AD objects, including
computer, contact, subnet, group, OU, server, site, user, quota, and
partition. You can display all attributes or filter for certain ones.
Use of the wild card * is permitted.
All
these utilities are well documented in the Windows Server 2003 Help and
Support in the Start menu, and in the command line online help by
typing /? after the command. The additional power of these commands is realized by combining them in scripts. The ds* commands in the previous list are all new to Windows Server 2003.
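The export, modify, import cycle described for Ldifde above, as an added example that is not from the original text: a Python filter that retargets a constructed export to a new domain suffix, carries over only an allowlisted set of attributes, and lists per account what was left behind, since the security context and password do not travel with the file. The domain names, accounts, allowlist, and function names are assumptions made for the illustration.

```python
# Constructed sample of an Ldifde-style export (not taken from the page).
SAMPLE_EXPORT = """\
dn: CN=Pat Quinn,OU=Sales,DC=old,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: pquinn
objectSid:: AQUAAAAAAAUVAAAA
description: Regional sales lead for the north-west
  territory
memberOf: CN=Sales,OU=Groups,DC=old,DC=example,DC=com

dn: CN=Zed Park,OU=Sales,DC=old,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: zpark
objectGUID:: 3q2+7w==
"""
# Assumed allowlist: only these attributes are carried into the import file.
KEEP = {"changetype", "objectclass", "cn", "samaccountname", "description"}

def parse_ldif(text):
    """Split LDIF into records of [attribute, rest-of-line] pairs."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1][1] += raw[1:]      # folded line: drop one leading space
        elif not raw.strip():              # blank line closes the record
            if current:
                records.append(current)
            current = []
        elif not raw.startswith("#"):
            attr, _, rest = raw.partition(":")
            current.append([attr, rest])   # rest keeps "::" base64 values verbatim
    return records

def prepare_import(text, old_suffix, new_suffix):
    """Return (import LDIF, [(account, attributes left behind)])."""
    out, follow_up = [], []
    for record in parse_ldif(text):
        fields = {a.lower(): r.strip() for a, r in record}
        dn = fields.get("dn", "")
        if not dn.lower().endswith(old_suffix.lower()):
            continue  # base64 ("dn::") or out-of-domain DNs are skipped
        out.append("dn: " + dn[:len(dn) - len(old_suffix)] + new_suffix)
        out += [f"{a}:{r}" for a, r in record if a.lower() in KEEP]
        out.append("")
        dropped = sorted({a for a, _ in record if a.lower() not in KEEP | {"dn"}})
        follow_up.append((fields.get("samaccountname", dn), dropped))
    return "\n".join(out), follow_up
```

Every account in the returned follow-up list needs a password set and its group memberships and permissions re-established in the target domain after the import.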